Re: [websec] Strict-Transport-Security syntax redux

Bjoern Hoehrmann <derhoermi@gmx.net> Sat, 29 October 2011 19:02 UTC

Return-Path: <derhoermi@gmx.net>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 078BD21F869E for <websec@ietfa.amsl.com>; Sat, 29 Oct 2011 12:02:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SZ+kEuAWIoyr for <websec@ietfa.amsl.com>; Sat, 29 Oct 2011 12:02:33 -0700 (PDT)
Received: from mailout-de.gmx.net (mailout-de.gmx.net [213.165.64.22]) by ietfa.amsl.com (Postfix) with SMTP id A896821F8677 for <websec@ietf.org>; Sat, 29 Oct 2011 12:02:32 -0700 (PDT)
Received: (qmail invoked by alias); 29 Oct 2011 19:02:28 -0000
Received: from dslb-094-222-141-108.pools.arcor-ip.net (EHLO HIVE) [94.222.141.108] by mail.gmx.net (mp038) with SMTP; 29 Oct 2011 21:02:28 +0200
X-Authenticated: #723575
X-Provags-ID: V01U2FsdGVkX1+nXHUKcxOnyFKf30XVYugG7Vf3ST/Y1Fc2sJb/BZ LNsx+ZAwHkO4MI
From: Bjoern Hoehrmann <derhoermi@gmx.net>
To: Julian Reschke <julian.reschke@gmx.de>
Date: Sat, 29 Oct 2011 21:02:39 +0200
Message-ID: <u0joa71oun083kb85bo3citn5uj1t6k2va@hive.bjoern.hoehrmann.de>
References: <4EA99CFB.30801@KingsMountain.com> <4EA9B09E.9030001@gmx.de>
In-Reply-To: <4EA9B09E.9030001@gmx.de>
X-Mailer: Forte Agent 3.3/32.846
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Y-GMX-Trusted: 0
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] Strict-Transport-Security syntax redux
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 29 Oct 2011 19:02:34 -0000

* Julian Reschke wrote:
>> Strict-Transport-Security = "Strict-Transport-Security" ":"
>> directive *( ";" [ directive ] )
>>
>> STS directives:
>>
>> directive = max-age | includeSubDomains | STS-d-ext
>>
>> max-age = "max-age" "=" delta-seconds
>
>What happens with
>
>   max-age="1"
>
>?
>
>Do you expect all recipients to reject this? Depending on the parsing 
>API they use they might not even know that the value was quoted on the wire.

That doesn't matter much really: if you include relevant edge cases in
the specification along with the expected behavior, you are virtually
guaranteed that such issues are discovered quickly, as implementers and
testers will start with what is in the specification to find problems,
and it's much less likely that APIs make it very difficult to implement
the right behavior, at least compared to telling the difference between
<x/> and <x /> in an XML document using some XML parser API, as far as
my experience with HTTP APIs goes anyway.
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
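The edge case raised in the exchange above (a quoted `max-age="1"`) is the kind of thing a receiver-side parser has to decide about explicitly. The following parser is an added example and is not code from the thread, from the draft, or from any browser; it implements the directive grammar quoted above (`directive *( ";" [ directive ] )`, with empty directives permitted) over RFC 7230 `token` / `quoted-string` lexemes, and it makes two choices that the draft text on this page leaves open: it accepts a quoted `max-age` value (the rule RFC 6797 §6.1.1 later adopted), and it rejects the whole header on any syntax error or duplicated directive rather than salvaging part of it. The `StsPolicy` type and the `parse_sts` / `_split_directives` names are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# RFC 7230 lexemes: tchar set for token, and quoted-string with backslash escapes.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
# One directive: name [ "=" value ], with optional whitespace tolerated around it.
DIRECTIVE_RE = re.compile(rf"\s*({TOKEN})\s*(?:=\s*({TOKEN}|{QUOTED}))?\s*")


@dataclass
class StsPolicy:
    """Parsed Strict-Transport-Security policy (example type, not from the draft)."""
    max_age: int
    include_subdomains: bool = False
    extensions: dict = field(default_factory=dict)  # STS-d-ext directives, name -> value


def _unquote(value: str) -> str:
    """Strip quoted-string delimiters and resolve backslash escapes; tokens pass through."""
    if value.startswith('"'):
        return re.sub(r"\\(.)", r"\1", value[1:-1])
    return value


def _split_directives(value: str):
    """Tokenize 'directive *( ";" [ directive ] )'. Returns a list of
    (name, raw_value_or_None) or None if the field value is malformed."""
    out, pos, n = [], 0, len(value)
    while pos < n:
        if value[pos] in "; \t":   # empty directive (";;") or surrounding whitespace
            pos += 1
            continue
        m = DIRECTIVE_RE.match(value, pos)
        if not m:
            return None
        out.append((m.group(1), m.group(2)))
        pos = m.end()
        if pos < n and value[pos] != ";":   # junk after a directive, e.g. max-age="1 (unterminated)
            return None
    return out


def parse_sts(header_value: str) -> Optional[StsPolicy]:
    """Parse an STS field value. Returns None when the header must be ignored:
    syntax error, duplicate directive, missing max-age, or a non-numeric max-age."""
    directives = _split_directives(header_value)
    if directives is None:
        return None
    seen, max_age, include_subdomains, extensions = set(), None, False, {}
    for name, raw_value in directives:
        key = name.lower()                     # directive names are case-insensitive
        if key in seen:
            return None                        # a directive may appear only once
        seen.add(key)
        if key == "max-age":
            if raw_value is None:
                return None
            digits = _unquote(raw_value)       # design choice: accept max-age="1" as 1
            if not re.fullmatch(r"[0-9]+", digits):
                return None                    # delta-seconds = 1*DIGIT
            max_age = int(digits)
        elif key == "includesubdomains":
            if raw_value is not None:
                return None                    # includeSubDomains takes no value
            include_subdomains = True
        else:
            # Unknown extension directives are retained but do not affect the policy.
            extensions[key] = None if raw_value is None else _unquote(raw_value)
    if max_age is None:
        return None                            # max-age is required
    return StsPolicy(max_age, include_subdomains, extensions)


if __name__ == "__main__":
    # Constructed sample field values, including the quoted case from the thread.
    for sample in ('max-age=31536000; includeSubDomains', 'max-age="1"',
                   'max-age=abc', 'max-age=1; max-age=2', 'max-age="1'):
        print(repr(sample), "->", parse_sts(sample))
```

Because the tokenizer honours quoted-strings, a `;` inside a quoted extension value does not split the directive, which a naive `split(";")` would get wrong; and because every failure path returns `None`, a caller can never act on a half-parsed policy, which is the safer default for a header whose whole purpose is to pin a host to HTTPS.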